Legal

Privacy Policy

Last updated: April 2026

This Privacy Policy describes how Tulex (the "Data Controller" or "Tulex") collects, uses, stores, transfers, and protects the personal data of users of tulex.ai and its related services (the "Services"). This Policy complies with Colombian Law 1581 of 2012 and Decree 1377 of 2013 on personal data protection, as well as applicable international privacy regulations.

1. Data Controller Identification

  • Name: Tulex
  • Contact email: hello@tulex.ai
  • Website: https://tulex.ai

Tulex acts as the Data Controller for personal data collected through the Services and complies with Colombian data protection regulations (Law 1581 of 2012).

2. Legal Framework

This Policy is based on:

  • Colombian Constitution (Article 15 – right to habeas data)
  • Law 1581 of 2012 – General data protection regime
  • Regulatory Decree 1377 of 2013
  • Law 1266 of 2008 – Financial habeas data
  • External Circular 002 of 2015 of the Superintendence of Industry and Commerce
  • External Circular 005 of 2017 on international data transfers

3. Personal Data We Collect

3.1 Data You Provide

When you create an account, subscribe to a plan, fill out a form, or contact us, we may collect:

  • Identification data: full name, ID number (when needed for billing), email, phone.
  • Billing data: address, NIT (if a company), payment information (processed by our payment provider; we do not store card data).
  • Professional information: occupation, area of legal practice, firm or company name.
  • Communications: any information you send us via email, contact forms, or chat.
  • Uploaded content: documents, text, or files you upload to Tulex tools.

3.2 Data We Collect Automatically

When you use the Services, we automatically collect:

  • Browsing data: IP address, browser type, operating system, pages visited, time spent, date and time of access.
  • Device data: model, unique identifiers, language, time zone.
  • Cookies and similar technologies: see our Cookie Policy for more details.
  • Usage data: features used, queries made, interactions with calculators and tools.

3.3 Sensitive Data

We do not intentionally collect sensitive data as defined in Article 5 of Law 1581 of 2012 (racial origin, sexual orientation, biometric data, health data, political opinion, etc.). If you incidentally include sensitive data in content uploaded to Tulex tools, we will process it only with appropriate security measures and delete it when no longer necessary.

4. Purposes of Data Processing

We process your personal data for the following purposes:

  1. Service provision: create and maintain your account, authenticate you, process your requests, and deliver contracted features.
  2. Billing and payments: process payments, issue electronic invoices in compliance with DIAN regulations.
  3. Technical support: handle inquiries, complaints, and support requests.
  4. Operational communications: notify you of service changes, security updates, failures, maintenance.
  5. Commercial communications: send you newsletters, product news, and educational content (only if you have given express authorization, which you can withdraw at any time).
  6. Service improvement: analyze usage of the Services to improve features, detect errors, and develop new functionality.
  7. Legal compliance: respond to requests from competent authorities, prevent fraud, and comply with legal or contractual obligations.
  8. Security: protect the Services and our users from unauthorized access, attacks, and abuse.

We will not use your personal data to train our own AI models without your express consent.

5. Data Subject Authorization

By registering, accepting this Policy, or using the Services, you grant your prior, express, and informed authorization for Tulex to process your personal data in accordance with the purposes described. This authorization may be revoked at any time by sending a request to hello@tulex.ai, without affecting the legality of processing prior to revocation.

For sensitive data or data of minors, we will request additional specific authorization.

6. Data Subject Rights (Habeas Data)

As a data subject, you have the following rights guaranteed by Law 1581 of 2012:

6.1 Access

Know the personal data we have about you, the purposes of processing, and complete information about how we use it.

6.2 Update

Request correction or update of inaccurate, incomplete, or outdated data.

6.3 Rectification

Request correction of errors in your personal data.

6.4 Deletion

Request the deletion of your data when you consider that processing does not comply with constitutional and legal principles, rights, and guarantees, except when there is a legal or contractual obligation to retain them.

6.5 Authorization Revocation

Revoke your authorization at any time, except when there is a legal or contractual obligation that prevents deletion.

6.6 Information About Use

Know how we have used your personal data.

6.7 File Complaints

File complaints with the Superintendence of Industry and Commerce (SIC) for violations of data protection regulations.

7. How to Exercise Your Rights

To exercise any of the above rights, send a request to hello@tulex.ai indicating:

  • Your full name and ID number.
  • Clear description of the right you wish to exercise.
  • Contact details for the response.
  • Any documents supporting your request.

Response Times (Law 1581 of 2012)

  • Access requests: we will respond within a maximum of ten (10) business days from receipt.
  • Complaints (rectification, update, deletion, revocation): we will respond within a maximum of fifteen (15) business days from receipt. If we cannot resolve within this period, we will inform you of the reasons and resolve within the following eight (8) business days.

If you believe your request was not adequately handled, you may file a complaint with the Superintendence of Industry and Commerce (SIC) at https://sic.gov.co.

8. Data Sharing and Transfers

8.1 Data Processors

We share personal data with technology providers acting as Data Processors under our instructions, including:

  • Cloud infrastructure: Amazon Web Services (AWS), Vercel.
  • AI models: Anthropic (Claude), OpenAI (GPT), Google (Gemini).
  • Payment processor: Stripe, Inc. (United States).
  • Analytics: Google Analytics, Vercel Analytics.
  • Communications: transactional email and notification providers.

These providers are contractually required to process data only according to our instructions and to implement appropriate security measures.

8.2 International Transfers

Some of our technology providers are located in the United States and other countries (AWS, Anthropic, OpenAI, Google, Stripe, Vercel). These international transfers are made in accordance with Article 26 of Law 1581 of 2012 and External Circular 005 of 2017 of the SIC, through:

  • Countries with an adequate level of protection recognized by the SIC.
  • Standard contractual clauses with providers that apply guarantees equivalent to Colombian law.
  • Express consent of the data subject upon accepting this Policy.

By accepting this Policy, you expressly authorize the international transfer of your personal data to the providers mentioned, exclusively for the purposes described.

8.3 Legal Requirements

We may disclose your personal data if required by a competent authority through a court or administrative order, or when necessary to comply with a legal obligation.

9. Data Retention

We retain your personal data while your account is active and for the time necessary to fulfill the described purposes. General retention periods:

  • Account data: while the account is active and up to two (2) years after cancellation, except for legal retention obligations.
  • Billing data: ten (10) years in accordance with Article 28 of Law 962 of 2005 and tax regulations.
  • Security logs: six (6) months.
  • Support communications: two (2) years.

After these periods, data will be deleted or anonymized.

10. Data Security

We implement technical, human, and administrative measures to protect personal data against unauthorized access, alteration, loss, misuse, or improper disclosure, including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256).
  • Role-based access control.
  • Strong authentication (including MFA when available).
  • Periodic security audits.
  • Staff training on data protection.
  • Incident response processes.

11. Security Breach Notification

In the event of a security incident significantly affecting your personal data, we will notify you by email as soon as reasonably possible and report the incident to the Superintendence of Industry and Commerce within applicable legal deadlines.

12. Minors

The Services are intended for persons over 18 years of age. We do not intentionally collect personal data from minors. If we discover that we have collected data from a minor without proper authorization, we will delete it as soon as possible. If you believe we have data on a minor, contact us at hello@tulex.ai.

13. Cookies and Tracking Technologies

We use cookies and similar technologies to operate and improve the Services. For more information, see our Cookie Policy.

14. Modifications to This Policy

We may update this Policy periodically to reflect changes in regulations, our practices, or the Services. Material modifications will be notified through the website or by email at least fifteen (15) days before they take effect. The "last updated" date at the top indicates when it was last revised.

15. Contact

For any inquiries, exercise of rights, or complaints related to the processing of your personal data:

  • Email: hello@tulex.ai
  • Suggested subject: "Habeas Data – [Type of request]"
  • Response time: according to legal deadlines described in Section 7.

If you do not receive a satisfactory response, you can file a complaint with:

Superintendence of Industry and Commerce (SIC) Address: Carrera 13 No. 27-00, Floors 1, 3, 5, 7, and 10, Bogotá D.C. Website: https://sic.gov.co